March 4, 2019
More info on the CF Security Update included in the March 1 CF updates for CF11, 2016, and 2018
ColdFusion troubleshooter

You may have noticed that Adobe released yet another set of updates on Friday, Mar 1, for CF11, 2016, and 2018. This update addresses a specific security risk (marked priority 1, urgent, by Adobe). If you would like more info on that update, I can help.

I have a pair of blog posts, on my own site, discussing this update, what it’s about, who may be affected, what protections it adds, and more:

Urgent CF security update released March 1 2019, for CF11/2016/2018, Part 1

CF security update (March 1 2019), part 2: further details, prevention, and more

I also discuss there how to deal with the potential vulnerability if you are not able to apply the most recent update, or if you are on CF10 or earlier, which are no longer updated.

I know that people may be gun-shy about applying updates after the problems with the Feb 12 updates which affected CF 11 and 2016. Those each received an update to replace that on Feb 25. I would point out that if you already have in place the most recent updates to each (CF2018 update 2 from Feb 12, or CF2016 update 9 or CF11 update 17 from Feb 25), then this latest update ONLY adds support for this security fix, not any other new or changed features.

That said, if you had not applied those prior updates, then yes, as always, the updates are cumulative and you will get this security fix and all the previous security fixes and feature changes of those prior updates. You should always view the technotes for previous updates you may be skipping, to see what they include. I did a blog post here in the portal:

Finding more about applying ColdFusion updates

In that post I offer links to the technotes for all the prior updates, and I also share a link to my own post with more info if you experience trouble applying CF updates. Usually it goes smoothly, but things can go amiss, and I help in resolving such common problems.

3 Comments

2019-03-04 22:41:28

This security bulletin page discusses JDK Requirements for all releases. CF 2018 and 2016 note “On JEE installations, set the following JVM flag…” while CF 11 says “Additionally, on J2EE installations, set the following JVM flag…” I don’t know if CF 11 is a typo or the other two are typos and it’s not really clear under what circumstances the test should be added to the jvm.config. Would you be able to shed some light on this, Charlie? Thanks.

https://helpx.adobe.com/security/products/coldfusion/apsb19-14.html

2019-03-04 23:23:29, in reply to jeffh65754959's comment

Jeff, this is a lamentable situation. Not the JEE vs J2EE difference (that’s just a reflection of a change in how what used to be called J2EE was renamed by the Java community to be JEE).

Instead, what’s lamentable is that that part of the technote HAS NOTHING TO DO WITH MOST PEOPLE IMPLEMENTING CF.

What they are referring to is those who have deployed CF as a WAR or EAR (something possible since CF 6), onto some Java servlet engine or app server (like JBoss, WebSphere, etc. or even Tomcat, but when you have installed Tomcat yourself).

As you may know, most people install CF not that way (as a JEE web app on some servlet engine they have installed) but instead just as “ColdFusion Server”. And technically that DOES run on Tomcat (since CF10, and before that JRun), and CF DOES technically run as a JEE web app.

But the point is that there is a difference between you deploying CF as a webapp on some servlet engine or app server and CF installing itself on Tomcat. (And that is an option in the CF installer, which again most never would even notice, and don’t usually need.)

So bottom line, that section of the technote about that jvm flag does not apply, unless you are deploying CF *as a war or ear*. Adobe could help folks a LOT by making that simple distinction, rather than use JEE (or J2EE), since technically that covers everyone.

2019-03-05 13:39:38, in reply to Charlie Arehart's comment

Thanks so much Charlie. That is much clearer.
